All release artifacts are signed with PGP. Follow these instructions to verify artifacts against their signatures.

  • Download the public key. Save it as jreleaser.asc.

  • Verify the fingerprint matches the following:

$ gpg --show-keys jreleaser.asc
pub   rsa4096 2021-02-10 [SC] [expires: 2031-02-08]
uid                      Andres Almiray <aalmiray@********.com>
sub   rsa4096 2021-02-10 [E] [expires: 2031-02-08]

  • Import the key with gpg --import jreleaser.asc.

  • Verify the chosen artifact with:

$ gpg --verify
gpg: Signature made Tue Dec 13 06:51:49 2022 CET
gpg:                using RSA key CCC55C5167419ADB
gpg: Good signature from "Andres Almiray <aalmiray@********.com>" [ultimate]
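The two checks above can be pinned to one expected key with the helpers below, an added example that is not JReleaser's own tooling: "Good signature" is printed for any key in your keyring, so the verification should also confirm which key signed. EXPECTED_FPR and the sample gpg outputs are constructed placeholders; the real fingerprint comes from the key download step.

```shell
# Added example (not part of JReleaser): pin PGP verification to one key.
# EXPECTED_FPR is a CONSTRUCTED placeholder; paste the published fingerprint.
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Read `gpg --with-colons --show-keys jreleaser.asc` on stdin; succeed only
# if the first "fpr" record (field 10 of the colon format) matches.
check_key_fingerprint() {
    got=$(awk -F: '$1 == "fpr" { print toupper($10); exit }')
    [ -n "$got" ] && [ "$got" = "$EXPECTED_FPR" ]
}

# Read `gpg --status-fd 1 --verify <artifact>.asc <artifact>` on stdin;
# succeed only if a VALIDSIG line names EXPECTED_FPR as the signing key
# (field 3) or as its primary key (field 12, present when a subkey signed).
check_signature_key() {
    awk -v want="$EXPECTED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
        (toupper($3) == want || toupper($12) == want) { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Constructed sample outputs in the formats gpg emits, for a dry run.
SAMPLE_KEY_COLONS='pub:-:4096:1:0123456789ABCDEF:1612915200:1928275200::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1612915200::HASH::Example Maintainer <maint@example.invalid>::::::::::0:'
SAMPLE_STATUS_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maint@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2022-12-13 1670910709 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'
# A valid signature from a different key in the keyring: must be rejected.
SAMPLE_STATUS_OTHER_KEY='[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2022-12-13 1670910709 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98'

# Real use: pipe gpg's output in instead of the samples, e.g.
#   gpg --with-colons --show-keys jreleaser.asc | check_key_fingerprint
#   gpg --status-fd 1 --verify "$artifact.asc" "$artifact" | check_signature_key
```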
Starting with v1.4.0, JReleaser provides SLSA provenance for all release artifacts. Follow these instructions to verify artifacts against their provenance.

$ slsa-verifier verify-artifact \
   --provenance-path jreleaser-all-early-access.intoto.jsonl \
Verified signature against tlog entry index 8865454 at URL:
Verified build using builder at commit caa516c7c52ca72a352f97e4153334080f8b7f43
PASSED: Verified SLSA provenance